What is an ISMS?
An ISMS is a collection of policies, procedures and measures. It is used to initiate and control information security measures. An ISMS also has the task of documenting these measures, monitoring them and continuously improving them.
An ISMS therefore initially has nothing to do with a specific software solution. Rather, it is a framework. Tools such as "i-doit ISMS" come into play when it comes to documenting the progress of implementation. You use it to plan and document the implementation of measures. To do this, you define, for example, people and roles responsible for security or parts of it for all documented assets. One of these roles is the IT security officer.
The IT Security Officer
To be clear: Information security is a matter for the top management. For this reason, an ISMS is introduced according to the top-down approach. The guidelines are drawn up and approved by the management. The exact definition and implementation will be assigned to specific employees or managers. In doing so, you will define different roles. If you implement an ISMS, the nomination of an IT security officer is essential.
This person is integrated into all ISMS processes and works closely with the IT managers. The IT security officer advises on tasks such as the selection of new IT components and applications and is the first point of contact for all IT security issues. Because the IT security officer is appointed by the management, he or she usually reports directly to top management and usually has a budget of his or her own.
What are the benefits of an ISMS?
It's no secret: Implementing IT security management requires time and effort. However, this effort is more than justified. The positive effects of an ISMS clearly outweigh the initial effort.
Securing competitive advantages
All activities have the goal of protecting existing data. An ISMS can be adapted to the size and structure of a company. This makes it interesting not only for medium-sized companies and large corporations. An ISMS is also worthwhile for small companies. The positive effects range from transparent business processes to a positive external image. Companies that have implemented provable security measures secure competitive advantages.
Raising employee awareness
During ISMS implementation, you will design and establish processes and procedures and create the associated documents. This means that your employees will actively address the issue of information security. They will also be actively involved in the design process. In addition to the process-oriented and technical introduction of an ISMS, this has a decisive advantage. Your employees will develop a special sensitivity for the topic of "security".
Increasing data security
Through information security management, you drive the topic of information security forward. You improve the protection of your data, which is your company's key asset. Especially the data that is important for the "survival" of the company has a high need for protection. This includes, above all, personal data. This data is exposed to many threats. One of them is the loss of this data due to technical errors. Another is the theft of the data by third parties. Often, the origin of such theft is outside the company. However, an ISMS also takes into account the risk of internal data theft.
Detection of vulnerabilities
When implementing an ISMS, you analyze all existing business processes. In the process, you discover potential vulnerabilities that you didn't notice before. The entire risk assessment is taken to a new level. You gain clarity about which business processes are critical and which assets need special protection. The ISMS also provides for an independent audit of the processes. This ensures that vulnerabilities are uncovered that would not be noticed in an internal audit.
Faster restoration of the ability to act
An important component of an ISMS is an emergency plan. This ensures that operations can be resumed as quickly as possible after an incident. Damage can be minimized or prevented by such an emergency plan.
Plan investments better and secure competitive advantage
When planning budgets and investments, there is often a lack of a sound basis on which to make decisions in both a targeted and forward-looking manner. Almost all companies have the same problem: there are more than enough open issues. So where is our capital best spent? After all, we don't just want to mend existing holes, we want to position ourselves better than the competition.
Through the data in the ISMS you can immediately see which data and areas are not sufficiently protected. Conversely, this is where your investments currently create the greatest added value. The early recognition of risks and their consequences is always going to be an undeniably good use of your budget. It is not unusual for new risks to be identified in the course of an ISMS implementation. These have usually never been considered in this way before and are now given the highest priority.
Certification according to ISO/IEC 27001 is also a competitive advantage. It lets customers easily recognise that information security is implemented according to a recognised standard and therefore provides a very high level of security. This gives you a clear advantage over your competitors: you are trusted. Furthermore, you can also audit your suppliers at any time, and so check whether they provide the agreed services and whether the quality of these services is sufficient.
Companies and public authorities issue compliance guidelines when awarding contracts. Your company must comply with these guidelines when it applies for a contract. With an ISMS, you always have the relevant evidence you need to provide to hand and thus can easily meet deadlines.
Do ISMS and data protection belong together?
From a logical point of view, information security and data protection belong together. Data protection officers in particular would agree without reservation with this statement. In fact, however, data protection is not a separate component of an ISMS. Nor does the “data protection” component of the IT-Basic Protection Compendium belong to the formal certification of the BSI (German Federal Office for Information Security).
In contrast to the other modules of the IT-Basic Protection Compendium, the “data protection” module is based on the legal requirements of data protection law. It is also not included in the ISO27001 standard. Instead, the BSI uses this module to link information security and the requirements of the standard data protection model.
Data protection primarily concerns personal data. This has become particularly clear since the General Data Protection Regulation (GDPR) came into force. Nevertheless, data protection does not get special treatment in an information security management system. Personal data is treated in the ISMS just like all other data.
Nevertheless, data protection officers, whose primary concern is the security and processing of personal data, can rest assured. After all, an ISMS generally serves to protect data and thus also to protect personal data. But data protection management must not be confused with an ISMS. An information security management system, for its part, needs extensions in order to comply with data protection from a legal and technical point of view.
Standards and norms
The organisations ISO and IEC have written a collection of more than 20 standards relevant to information security. These are summarised in the number range 2700X. All these standards describe sub-areas of Information Security Management or IT Security.
Of particular interest for the topic “ISMS” is the standard ISO/IEC 27001, which contains specifications for the implementation, maintenance and continuous improvement of a documented information security management system. This standard also contains requirements for the assessment of security risks. The standard takes into account the special requirements of all types of organisations, from trading companies to non-profit organisations.
In most cases, an ISO27001 certification is recommended for companies. In the course of such a certification, implementation or fulfilment of the requirements of the standard is determined by an external auditor.
The evaluation of the audit report and the granting of the certificate is then carried out by a designated certification body. A successful certification is advantageous for every company. It enables them to demonstrate the introduction and implementation of an effective ISMS to customers and business partners.
ISO 27005 – IT Risk Management
While the standard ISO/IEC 27001 deals with the requirements for an ISMS, ISO 27005 describes the complex topics of “risk analysis and management”. The standard provides precise instructions for IT risk analysis. It contains an exact description of the processes to establish an efficient risk analysis within the company. In addition, ISO 27005 also provides a detailed description of the individual process steps.
The focus is on the assessment of risks and how to deal with them. The values of a company are directly or indirectly threatened by various factors. These can be, for example, weaknesses in systems/processes or different types of impacts that can affect the organisation.
In addition to the pure identification of risks, this area naturally also includes the management of measures. In this context, reference is made to ISO 27001 from the annexes of ISO 27005. This link ensures a systematic, documented procedure and continuous improvement of the processes.
The IT-Basic Protection Compendium of the BSI
The German Federal Office for Information Security (BSI) regularly publishes the IT-Basic Protection Compendium. This is an extensive collection of texts, the so-called IT-Basic Protection Blocks. Each of these blocks deals with all security-relevant aspects of a specific topic. These topics include, for example, “Organisation and Personnel”, “Applications” and also “ISMS: Security Management”. For each of these 10 modules, possible threats as well as important security requirements are listed.
These requirements are subdivided into basic requirements, standard requirements and requirements with increased need for protection. In this way, each company can decide individually which level of protection will be achieved.
Together with the BSI standards, this compendium forms a thematic basis for anyone who would like to deal with information security more intensively. Furthermore, certification according to this IT-Basic Protection Compendium is also possible. For this certification, the latest version of the compendium is always relevant.
BSI standard 100 vs. BSI standard 200
BSI Standards 100-1, 100-2 and 100-3 also deal with the establishment of an ISMS and risk management. They were issued by the German Federal Office for Information Security. They serve as a guide and orientation aid for companies to achieve a higher level of protection. The "100 series" was completely replaced by BSI Standards 200-1, 200-2 and 200-3 in October 2017.
BSI Standard 200-1 ("Management Systems for Information Security") describes the general requirements for an ISMS. This standard is directly compatible with the ISO/IEC 27001 standard. The recommendations and terminology of the ISO standard are also taken into account in this standard.
BSI 200-2 ("IT baseline protection methodology") forms the basis for implementing an ISMS. It contains three tried-and-tested procedures for implementing basic IT protection. Basic assurance first looks at the introduction of an ISMS. Core assurance describes a way of covering a smaller part of a larger IT network with an ISMS. Standard assurance then finally provides a description of a complete security process.
The BSI 200-3 standard ("Risk Management") bundles all risk-related work steps for implementing IT baseline protection. This includes the identification of elementary hazards, risk classification and the handling of risks. This standard is recommended for organizations that have already successfully addressed the IT baseline protection methodology. Compared to its predecessor BSI 100-3, the effort required to achieve a defined level of protection has been reduced in this new standard.
Implementation of an ISMS
Identifying protected areas
First of all, you must narrow down the scope of the ISMS. Possible protection areas are:
You need to be clear about the specific areas of protection that your ISMS should and must cover. Consider which information assets you need to protect and which interfaces can be used to access them. Think here about your own employees, customers, suppliers or other companies and service providers. Analyse the processes present here, as they ultimately play a decisive role.
Identifying and evaluating risk
After you have identified the objects of protection, the so-called assets, the next step is to determine the risks. You not only have to identify them, but also assess them.
For this purpose you will find possible hazards in the corresponding catalogues. You apply these to the respective assets. In addition to the probability of occurrence, you should also consider which damage scenarios could occur when these hazards happen to the company. These could be, for example, financial damage, detriments to the company’s image or physical damage. You also need to consider the impact on confidentiality, integrity and availability of the assets. Once you have done this, you can very accurately assess the consequences of a security incident for the company.
Measures and responsibilities
For each possible risk you can now select different measures from the catalogue of measures. These can be used, for example, to reduce the probability of occurrence or to reduce the resulting damage.
Employees’ smartphones are often connected to various services in order to access important documents and customer data. A possible risk here would be “the loss of a smartphone”.
If the device is lost, unauthorized persons could access the data. In the worst case scenario, the data could be modified, sold or otherwise misused. The result would be financial and/or image damage.
One measure to reduce the extent of damage would be the possibility of remotely deleting the data on lost smartphones. Another measure would be the rollout of a security policy requiring 6-digit PIN codes on all mobile devices. This would significantly reduce the likelihood of data loss even if the device itself is lost.
Defining the measures is one task. Another is to monitor their implementation. This must not be a one-off activity; it must be continuous.
The central element of an ISMS is the creation of processes that ensure regular monitoring of progress. This also includes continuous improvement of the security level.
For implementation, it is therefore necessary to nominate persons who are responsible for the implementation of the respective measures. Following the classic PDCA cycle (Plan – Do – Check – Act), the progress of the implementation of these measures is measured. In this way a continuous improvement of the ISMS is achieved.
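The risk-assessment steps above (asset, hazard, likelihood, damage to confidentiality, integrity and availability, then measures with nominated owners and PDCA progress tracking) can be modelled as a small risk register. The following Python is an added example written for this article; it is not code from i-doit or from any BSI or ISO catalogue. The 5-step likelihood and impact scales, the score thresholds, the measure owners and the reduction values assigned to the two smartphone measures are all constructed assumptions chosen to illustrate the mechanics.

```python
"""Minimal risk register: assets, hazards, CIA impact, measures and residual risk."""
from dataclasses import dataclass, field

# Constructed 5-step ordinal scales (assumption; not the BSI/ISO catalogue scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass
class Measure:
    """A catalogue measure: it lowers the likelihood, the damage (impact), or both."""
    name: str
    likelihood_reduction: int = 0   # ordinal steps removed from the likelihood
    impact_reduction: int = 0       # ordinal steps removed from the worst CIA impact
    owner: str = "unassigned"       # person nominated as responsible for the measure
    implemented: bool = False       # updated in the PDCA "Do" / "Check" steps


@dataclass
class Risk:
    asset: str
    hazard: str
    likelihood: str
    impact: dict                    # {"confidentiality": level, "integrity": level, "availability": level}
    measures: list = field(default_factory=list)

    def _worst_impact(self) -> int:
        # The worst of the three protection goals drives the damage scenario.
        return max(IMPACT[level] for level in self.impact.values())

    def inherent_score(self) -> int:
        """Risk before any measure: likelihood x worst CIA impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * self._worst_impact()

    def residual_score(self) -> int:
        """Risk after the measures that are actually in place (planned ones do not count)."""
        like, imp = LIKELIHOOD[self.likelihood], self._worst_impact()
        for m in self.measures:
            if m.implemented:
                like -= m.likelihood_reduction
                imp -= m.impact_reduction
        return max(like, 1) * max(imp, 1)

    def implementation_progress(self) -> float:
        """PDCA 'Check': fraction of the selected measures that are implemented."""
        if not self.measures:
            return 0.0
        return sum(m.implemented for m in self.measures) / len(self.measures)


def rating(score: int) -> str:
    """Constructed thresholds on the 1..25 score; an organisation sets its own."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_smartphone_risk() -> Risk:
    """The article's example: an employee smartphone with access to customer data is lost."""
    return Risk(
        asset="employee smartphone (access to documents and customer data)",
        hazard="device lost; unauthorised access to the stored data",
        likelihood="likely",
        impact={"confidentiality": "major", "integrity": "moderate", "availability": "minor"},
        measures=[
            # Remote wipe limits the damage once the device is gone (assumed 2 steps).
            Measure("remote wipe of lost devices", impact_reduction=2, owner="IT operations"),
            # A PIN policy makes unauthorised access less likely (assumed 2 steps).
            Measure("6-digit PIN policy on all mobile devices", likelihood_reduction=2,
                    owner="IT security officer"),
        ],
    )


def mark_implemented(risk: Risk, measure_name: str) -> None:
    """PDCA 'Do': record that the responsible owner has put a measure in place."""
    for m in risk.measures:
        if m.name == measure_name:
            m.implemented = True
            return
    raise KeyError(measure_name)


def prioritise(risks: list) -> list:
    """Highest residual risk first: where the next budget creates the most value."""
    return sorted(risks, key=lambda r: r.residual_score(), reverse=True)


if __name__ == "__main__":
    risk = build_smartphone_risk()
    print("inherent:", risk.inherent_score(), rating(risk.inherent_score()))
    mark_implemented(risk, "remote wipe of lost devices")
    print("after remote wipe:", risk.residual_score(), rating(risk.residual_score()))
    mark_implemented(risk, "6-digit PIN policy on all mobile devices")
    print("after PIN policy:", risk.residual_score(), rating(risk.residual_score()),
          f"progress={risk.implementation_progress():.0%}")
```

Running the script walks the smartphone risk from an inherent score of 16 ("high") to 8 after the remote-wipe measure and 4 ("low") once the PIN policy is also in place, with the progress figure showing the PDCA check state. The important design point is that only implemented measures lower the residual score: a measure that is merely planned, or has an owner but no completion record, leaves the risk where it was, which is exactly what continuous monitoring of implementation is meant to surface.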
The i-doit ISMS
The following measures must be adopted for the implementation of an ISMS:
The larger your company is, the more records you need to keep. The i-doit ISMS supports you in implementing an Information Security Management System, and this system enables you to keep this ISMS centrally available.
Whether you want to improve your company’s position in the future or achieve ISO27001 certification, our ISMS provides you with significant support in both preparation and implementation.
For all assets of your company you can:
- view risks
- determine internal and external (elementary) hazards
- implement preventative and corrective measures
These functions enable you to map and organise your entire risk management.
With the ISMS you receive the necessary catalogues of the BSI (IT-Basic Protection Compendium) as well as the ISO27001 and B3S. This completely eliminates the tedious creation of threats, weak points, dangers and measures.
Status and reporting of the implementation
The implementation of an ISMS involves a significant effort, which should not be underestimated. Recognising dangers and taking measures to counter them are important components. But the progress of the entire project and the implementation of the measures taken must also be traceable.
Our solution offers comprehensive documentation and reporting for each asset. In addition to the measures taken, this can include:
- persons in charge
- the progress of implementation
- evaluating the risk assessment according to group membership
The risk analysis of individual locations within a client is also supported.
Management and export of reports and documents
All assets can be processed centrally by different users. To do this, you can simply create users or connect your directory service such as Active Directory. You can seamlessly integrate your existing security groups and enable a precise configuration of access rights to the respective subject areas and assets. If required, you can compile all information in PDF documents or export them as Excel reports.
The advantages of the i-doit ISMS
The i-doit ISMS is a complete management suite for information security according to ISO 27001 and IT baseline protection of the German Federal Office for Information Security (BSI).
Try i-doit pro
With i-doit pro, you not only build a central IT documentation.
You are also introducing a powerful tool that will save you time and money.
And i-doit pro can do much more.
Document every asset of your company.
Relate all assets in an ITIL-compliant CMDB.
Build a complete ISMS according to ISO 27001.
The basis for your business and IT processes and the setup of an ITSM.